According to the ICO Rating report, only 46% of cryptocurrency exchanges meet the desired security parameters, while the remaining 54% have sub-par security measures in place, leaving hundreds of investors and traders exposed. The group studied comprises 100 exchanges, all of which have a 24-hour volume of over $1 million.
A total of $1.3 billion has been stolen from hacked cryptocurrency exchanges since 2010, and yet cryptocurrency exchange operators seem to have failed to take security seriously. This is one of the biggest threats to cryptocurrencies, and the scale of the losses cannot be overstated. Thus, in order to avoid hacks leading to significant losses, a cryptocurrency exchange platform needs a comprehensive procedure for identifying and eliminating information security vulnerabilities. Post-incident measures can be effective, but it is unlikely that they will reduce the negative consequences to zero.
For instance, Coinrail stated that 70% of its total coin and token reserves were to be safely stored in and moved to a cold wallet, and two-thirds of the stolen cryptocurrencies were frozen in collaboration with the coin companies.
The purpose of this blog is to examine the common vulnerabilities that arise throughout the process of cryptocurrency exchange development. Let’s have a look:
Susceptibility of Cryptocurrency Exchanges to Phishing
The best technological measures cannot protect a crypto exchange against phishing attacks. In 2015, as a result of a weeks-long phishing attack against the Bitcoin exchange Bitstamp, criminals stole about 5 million US dollars. The fraudsters, posing as a legitimate company, sent employees a file by email and on Skype and convinced one of them to download it. The attachment contained a malicious VBA script which, when opened, installed a malicious file on the compromised machine.
Weak Protection of Employee Login Credentials
Very often, employees working at cryptocurrency exchanges use weak passwords or store their credentials in an unsafe way, which makes the login credentials an easy target for criminals. At times, hackers attack employees' personal computers. This raises the question of data security in companies and of employees' ability to take private and sensitive information home. Thus, companies need to make sure that employees keep credentials safe and secure for software applications installed not just on company-issued computers but also on their personal computers.
Missing Hot Wallet Protections
Many cryptocurrency exchanges use a single private key to secure a hot wallet. If a criminal gains access to that single private key, they will be able to drain the hot wallet it controls. Examples of private key attacks are the attacks on Bitfinex and Parity, which resulted in losses of 65 million U.S. dollars (Bitfinex) and 30 million U.S. dollars (Parity). Cryptocurrency exchange platforms can avoid similar attacks by using multisignature wallets, in which several private keys must sign before funds can move.
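As an added example (not code from the original post or from any exchange named in it), the following Go program models the M-of-N approval rule behind a multisignature hot wallet as an off-chain signing gate using Ed25519 from the standard library, rather than an on-chain Bitcoin multisig script. It shows why one stolen key, the same key presented twice, or valid signatures replayed over an altered withdrawal all fail to release funds under a 2-of-3 policy; the keys are generated on the fly and the withdrawal message is constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
)

// Approval is one signer's Ed25519 signature over a withdrawal message.
type Approval struct {
	Signer ed25519.PublicKey
	Sig    []byte
}
// Policy is an M-of-N approval rule for the hot wallet: any Threshold of the
// enrolled Signers must sign before a withdrawal is released.
type Policy struct {
	Threshold int
	Signers   []ed25519.PublicKey
}
// Authorize is true only if at least Threshold distinct enrolled signers gave valid
// signatures over msg; unknown keys, bad signatures and a key shown twice do not count.
func (p Policy) Authorize(msg []byte, approvals []Approval) bool {
	enrolled, valid := map[string]bool{}, map[string]bool{}
	for _, s := range p.Signers {
		enrolled[string(s)] = true
	}
	for _, a := range approvals {
		if k := string(a.Signer); enrolled[k] && ed25519.Verify(a.Signer, msg, a.Sig) {
			valid[k] = true // map key dedups a repeated signer, so one stolen key is never enough
		}
	}
	return len(valid) >= p.Threshold
}

// Demo builds a 2-of-3 policy over fresh keys and reports whether one key, two distinct
// keys, the same key twice, and two keys over an altered message authorize a withdrawal.
func Demo() (one, two, dup, tampered bool) {
	pubs, privs := make([]ed25519.PublicKey, 3), make([]ed25519.PrivateKey, 3)
	for i := range pubs {
		pubs[i], privs[i], _ = ed25519.GenerateKey(rand.Reader)
	}
	policy := Policy{Threshold: 2, Signers: pubs}
	msg := []byte("withdraw|to=bc1qexample|amount=250000|nonce=1") // constructed message
	sign := func(i int) Approval { return Approval{pubs[i], ed25519.Sign(privs[i], msg)} }
	one = policy.Authorize(msg, []Approval{sign(0)})
	two = policy.Authorize(msg, []Approval{sign(0), sign(2)})
	dup = policy.Authorize(msg, []Approval{sign(1), sign(1)})
	altered := []byte("withdraw|to=bc1qelsewhere|amount=250000|nonce=1") // same sigs, new payee
	tampered = policy.Authorize(altered, []Approval{sign(0), sign(2)})
	return one, two, dup, tampered
}
```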
Several laws oblige banks and financial institutions to implement information security measures to protect client deposits and prevent unauthorized transactions. But since the blockchain field is still in its infancy, only a few laws apply to cryptocurrency exchanges. Thus, it is no accident that many cryptocurrency exchanges have vulnerabilities allowing hackers to steal considerable amounts of money.
Promoters of blockchain technologies claim that blockchain transactions are highly secure because they are recorded on an allegedly immutable ledger. But they always forget to mention that each and every transaction has a signature which can be manipulated prior to the closure of the transaction. For instance, the Mt. Gox hack, one of the biggest attacks in the history of cryptocurrencies, was conducted by hackers who submitted code changes to a public ledger before the initial transactions were posted. The attack resulted in an immense loss of 473 million U.S. dollars and bankrupted the hacked cryptocurrency exchange platform.
The large number of cyber-attacks and the various reports about security vulnerabilities in cryptocurrency exchange development depict a pressing social need for regulation of the blockchain field. Most importantly, governments should require cryptocurrency exchanges to adopt security measures which will prevent the theft of billions of U.S. dollars.